Admins can implements SSO for ZohoCRM via Office365 credentials which basically allows user to signin to Zoho CRM using their O365 credentials. 

And from within AzureAD, admins can manage access to various SAAS apps (like ZohoCRM) to which users may/may not have access and also revoke/limit access as required. 

The problem is, in accounts.zoho.com the end users can disconnect this SSO setup. They can do so by going to:

Accounts.Zoho.com > Settings > Linked Accounts (Manage your email ID mapping with federated Sign in using Google, Google Apps or Yahoo! account.) 

Here the user can just click on Remove OpenID Mapping and break the federated SignIn setup by the admin, resulting in unnecessary support tickets. 

Companies are using federation to have better security and control over who can access company apps and how and when they can access. And also reporting capabilities around it. 

So it is important that end users should not be able to break the work admin has carried out or any setup such as this.